@0xtarafans and @i2huer

Produced by PNM x Narya Labs

We are focused on dissecting crypto/Web3 exploits in the real world

TL;DR

On March 20, 2022, LI.FI, a cross-chain bridge aggregation protocol, was hacked with a loss of ~$600K. The attacker exploited a bug in the smart contract on Ethereum.

Transaction

Exploit

A functional PoC of the hack developed by PNM white hats

postmortem/2022/lifi at main · PwnedNoMore/postmortem

Vulnerability

CBridgeFacet is the vulnerable smart contract that delegates the cross-chain token transfer requests to CBridge.

Suppose we do not hold the target token (_cBridgeData.token) that is to be transferred across chains. In that case, we can call the public function swapAndStartBridgeTokensViaCBridge() of CBridgeFacet.